Configure LDAP global settings in jenkins - jenkins

I've set up a Jenkins instance, and am trying to set up LDAP and getting this error
Unable to connect to ldaps://server.domain.com:636 :
javax.naming.CommunicationException: server.domain.com:636 [Root
exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]
The target server is using a self-signed certificate. Is there a way to disable certification checking? In another web server instance, we run it with
AUTH_LDAP_GLOBAL_OPTIONS = {
ldap.OPT_X_TLS_REQUIRE_CERT: False }
Could there be a similar option when using Jenkins?


You can override the Java default SSL factory like https://plugins.jenkins.io/skip-certificate-check
Or you can trust the cert by fetching the certificate public key and importing that into your ./jre/lib/security/cacert truststore.
export JAVA_HOME='/path/to/your/jre'
export LDAPHOST='LDAPHOST01.domain.ccTLD'
export LDAPSSLPORT='636'
export CERTFILENAME='/tmp/ldapcert.cer'
echo "" | openssl s_client -connect $LDAPHOST:$LDAPSSLPORT 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $CERTFILENAME
keytool -import -trustcacerts -alias $LDAPHOST -file $CERTFILENAME -keystore $JAVA_HOME/lib/security/cacerts
When you import the certificate, you will be asked for the keystore password. The default is 'changeit' ... otherwise whatever you've changed it to. Details on the cert will be displayed, and you will be asked if you really want to trust the certificate.
[lisa#linux02 checkSSLCertExpiry]# keytool -import -trustcacerts -alias $LDAPHOST -file $CERTFILENAME -keystore $JAVA_HOME/lib/security/cacerts
Enter keystore password:
Owner: CN=LDAPHOST01
Issuer: CN=LDAPHOST01
Serial number: 3a2542463f2d59bb4018f9e9179dd6a8
Valid from: Mon Jun 02 16:55:08 EDT 2014 until: Sun Jun 02 16:55:08 EDT 2019
Certificate fingerprints:
MD5: C3:33:62:B4:A8:30:05:54:3A:F9:AE:99:66:35:EB:22
SHA1: FA:C2:7B:5D:BF:74:05:58:EF:37:F1:AD:8D:8B:DF:02:93:4C:D8:7E
SHA256: BE:D6:DF:A9:4F:82:6B:AF:2C:C7:45:9B:B7:A4:0A:B4:9A:81:DB:8E:49:A2:38:16:49:83:F7:4C:D5:EC:61:E0
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
...
#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: LDAPHOST01
DNSName: LDAPHOST01.domain.ccTLD
]
Trust this certificate? [no]: yes
Certificate was added to keystore
A keytool command to verify the certificate exists in the store:
[lisa#linux02 checkSSLCertExpiry]# keytool -list -keystore $JAVA_HOME/lib/security/cacerts -alias $LDAPHOST
Enter keystore password:
LDAPHOST01.domain.ccTLD, Sep 28, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): FA:C2:7B:5D:BF:74:05:58:EF:37:F1:AD:8D:8B:DF:02:93:4C:D8:7E
Overriding Java's default trust mechanisms is once-and-done, but obviously removes all of the security that goes with verifying a certificate. Trusting the LDAP server's cert means you'll need to know every time the cert is renewed, and you'll need to import the new certificate into your cacerts file.
To avoid having auth fail every year or two when the directory server cert expires, I set up a certificate authority (CA) with a fairly long (10 years or so) validity. You can do this with a dedicated PKI infrastructure or simply OpenSSL. By importing the CA's public key into cacerts, you trust any certificate issued against the CA. So if the directory certificate is renewed every year, you don't need to do anything. In a decade when the CA cert is replaced, you'll need to add the new CA cert to the store.

Related

openssl command password problem for Kubernete certificate

I am trying to add certificate for Kubernetes, but when I run the following command on cmd (MacOS):
openssl ec -in mycompany-robert.key -out mycompany-robert.dkey
I get the following prompt:
read EC key
Enter PEM pass phrase:
Then I enter some password, but it is not accepted and get the following error:
unable to load Key
4315711020:error:06FFF064:digital envelope routines:CRYPTO_internal:bad
decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/
Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/evp/evp_enc.c:521:
4315711020:error:09FFF065:PEM routines:CRYPTO_internal:bad
decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/
Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/pem/pem_lib.c:469:
So, how can I fix the problem?

Curl Command Failing - SSL Certificate (Exit Code 60) Inside Docker Container Running on Windows Machine

There is a shell script that builds a Docker Image (calling a Dockerfile). In the Dockerfile there are several CURL commands like this:
The Docker Container is using base OS as : Debian GNU/Linux 10
RUN curl -s -L \
https://repo1.maven.org/ ...
RUN curl -s -L \
https://github.com/CodeNarc/ ... \
-o codenarc.jar
RUN curl -s -L \
https://repo1.maven.org/ ...
RUN curl -s -L \
https://repo1.maven.org/ ...
The above Dockerfile is running fine when the host machine is either Mac or Linux based.
But when we are trying to run this on Windows host machine the 2nd curl command i.e. to “github.com” is failing with SSL Certificate issue (Exit Code 60).
We are not doing anything related to PHP, so any such solution (related to php.ini file) is irrelevant for me.
Now I have tried almost everything available to solve this issue but nothing seems to be working:
Downloading cacert.pem file from given location and putting into “/etc/ssl/certs”, but it didn’t work
I tried using update-ca-certificate, but it didn’t work
Used --cacert <cacert.pem file location on docker container>, but this also didn’t work
The only solution working is with -k flag in curl command, but that is insecure and we don't want to use that.
I cant find any other solution for this, if anyone can help, it will be much appreciated.
Thanks
Adding on what I tried running openssl s_client -showcerts -connect github.com:443 on Windows Host Machine:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3851 bytes and written 438 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 441C92CFBEA27773315E4A9476C3A5173F0A2AB0AADDE708568DD8752EAA8A5A
Session-ID-ctx:
Master-Key: DF6DB0BC64F84ADD5974694845136249AEBEFB2559009AAD2A5C27A6FC981915AB50A765914CAA8AFCAC904B9998FF54
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1614064531
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GINCH7
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
Then I ran the same command from inside the Docker:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3851 bytes and written 438 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 441C92CFBEA27773315E4A9476C3A5173F0A2AB0AADDE708568DD8752EAA8A5A
Session-ID-ctx:
Master-Key: DF6DB0BC64F84ADD5974694845136249AEBEFB2559009AAD2A5C27A6FC981915AB50A765914CAA8AFCAC904B9998FF54
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1614064531
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
---
depth=2 C = US, O = "Blue Coat Systems, Inc.", CN = Cloud Services CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Cloud Services, OU = Operations, CN = SSL-SG1-GINCH7
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1

Whatever is the problem, it is not related to the container itself, otherwise it will not work on Linux and macOS as well (providing the test was done in the same network). The problem could be in the Windows host or the network in which the host is residing.
Check the following:
Antivirus or a proxy running on the windows machine
Corporate firewall
Content/packet inspectors (DPI)
Trace the connection with tpcpdump / wireshark from both hosts and compare the traffic
Also, see which certificate is the problem with openssl s_client -showcerts -connect github.com:443 to find which certificate is the problem

jmeter - Got 'Keystore was tampered with, or password was incorrect' error doing distributed tests

Searched all the questions related to recover keyerror, got no answer on my situation.
So, I just have several simple operations:
install jmeter 4.0 (on centos 7)
cd to the bin directory, run ./create-rmi-keystore.sh and pressed Enter in each steps(entered a password 123654 at final step), and finally it gives me
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore rmi_keystore.jks -destkeystore rmi_keystore.jks -deststoretype pkcs12".
Copy the generated rmi_keystore.jks to jmeter/bin folder or reference it in property 'server.rmi.ssl.keystore.file'
so I run keytool -importkeystore -srckeystore rmi_keystore.jks -destkeystore rmi_keystore.jks -deststoretype pkcs12 and give a password 123654
It gives me:
Enter source keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
Can anybody give a hand, Thanks advance:)

solved by this , to answer the question What is your first and last name?, you'll have to reply with rmi which must be a corresponding value with server.rmi.ssl.keystore.alias in jmeter.propertise.

Retrieve certificate expiration date from an .ipa file?

I know how to view the expiration date of an .ipa file's provisioning profile (by renaming the ipa to zip, then unzip it and view the ExpirationDate key in the embedded.mobileprovisioning file).
But how can I view the expiration date of the certificate itself that was used to sign the ipa?
I found that you can use the codesign utility to "extract" certs:
codesign --display --extract-certificates /Applications/Example.app
This produces three files: codesign0, codesign1, codesign2. Not sure how to proceed after that.

Do the following:
unzip -q MyApp.ipa
$ codesign -d --extract-certificates Payload/*.app
$ openssl x509 -inform DER -in codesign0 -noout -nameopt -oneline -dates
After doing the above, you will get output with:
notAfter=Aug 4 16:08:00 2017 GMT
This is the certificate expiration date.

Xcode fails codesigning even though keys, certs and profiles are present and identifiers match up

project config:
CODE_SIGN_IDENTITY = "iPhone Developer: Maarten Billemont (9V38BLC46F)";
PROVISIONING_PROFILE = "6A477BC7-051A-4FE4-B285-E6E658937C24";
profile:
profile.mobileprovision.plist is the plist contents of the mobile provisioning profile:
$ PlistBuddy -c 'Print :Name' profile.mobileprovision.plist
iOS Team Provisioning Profile: *
$ PlistBuddy -c 'Print :UUID' profile.mobileprovision.plist
6A477BC7-051A-4FE4-B285-E6E658937C24
$ PlistBuddy -c 'Print :DeveloperCertificates' profile.mobileprovision.plist | grep -a Maarten
QTZ8SQGT6H1907U0iPhone Developer: Maarten Billemont (9V38BLC46F)10U
$ PlistBuddy -c 'Print :DeveloperCertificates:1' profile.mobileprovision.plist | openssl md5
cc0e202ff8be100352e04a4e9cc8763a
$ openssl md5 < ios_development.cer
cc0e202ff8be100352e04a4e9cc8763a
$ openssl x509 -inform der -subject -noout < ios_development.cer
subject= /UID=QTZ8SQGT6H/CN=iPhone Developer: Maarten Billemont (9V38BLC46F)/OU=7PCL8KGYD3/O=Tristan Interactive Inc./C=CA
keychain:
Common Name: iPhone Developer: Maarten Billemont (9V38BLC46F)
This certificate is valid.
This certificate has an associated private key.
This certificate and its private key are in the default keychain.
build result:
Check dependencies
Code Sign error: No codesigning identities found: No codesigning identities (i.e. certificate and private key pairs) that match the provisioning profile specified in your build settings (“iOS Team Provisioning Profile: *”) were found.
CodeSign error: code signing is required for product type 'Application' in SDK 'iOS 7.1'
question
What could be causing this code sign error? What other information could I gather to diagnose the problem? Can I somehow find out the exact codesign command used to double-check it's using the exact identifiers from the project configuration? How does it determine what keychain to look at? Can I run it in debug/diagnostic/verbose mode?

It is pretty well explained in the error message that the specified provisioning profile's certificate and private key pair does not exist in your keychain. Double check the certificate you had selected for the prov profile. Download it and place it again in your keychain. Then, reboot your computer.

Resources